For certain parts of manual certificate replacement, you must stop all services and then start only the services that manage the certificate infrastructure. If you stop services only when needed, you can minimize downtime.
You have to stop and start services as part of the certificate replacement process.
- Do not stop services to generate new public/private key pairs or new certificates.
- If you are the only administrator, you do not have to stop services when you add a new root certificate. The old root certificate remains available, and all services can still authenticate with that certificate. Stop and immediately restart all services after you add the root certificate to avoid problems with your hosts.
- If your environment includes multiple administrators, stop services before you add a new root certificate and restart services after you add a new certificate.
- Stop services right before you delete a machine SSL certificate in VECS.